Closed michaelpj closed 4 years ago
This is still a problem - any chance this could be merged?
Okay, I think I've pinpointed the issue a bit more: this only causes problems trying to build yarn2nix
itself on hydra. Which is still quite helpful to be able to do.
And indeed this appears to no longer be enough to fix the problem :/ There are more places where e.g. src + "/package.json"
is accessed...
src + "/package.json"
shouldn't cause an IFD AFAIK, from my experiments ./foo/bar
and ./foo + "/bar"
are equivalent expressions.
To be clear, it's not IFD per se. The errors I get are like this:
error: access to path '/nix/store/9c7q9q0ma2i5bcgkv5whpyx5l62v7ply-yarn2nix/package.json' is forbidden in restricted mode
So what's going on is that the yarn2nix
source gets sucked into the nix store, and then when we access src + '/package.json'
that is apparently not allowed. I don't entirely understand why, to be honest.
@edolstra do you have any idea why this fails?
I ran into the same issue while trying to use yarn2nix in a flake. You can reproduce the problem by running nix run github:hopglass/hopglass-server/12ace3c
Looks like it got fixed better.
I think it's still an issue for users of yarn2nix. Make sure to pass the package.json explicitly if you are filtering the source.
Can we reopen this, it's still broken for me in restricted mode on Hydra, see https://hydra.iohk.io/jobset/Cardano/plutus-pr-1962#tabs-errors for https://github.com/input-output-hk/plutus/pull/1962
Hi, you are using nixpkgs from the nixos-19.09 branch in your repository, which does not yet have https://github.com/NixOS/nixpkgs/commit/ed90e59fc293c412c2a4f51024932a4245384549. This would be required to fix the build in restricted mode. You could either update nixpkgs to nixos-20.03 branch or add the latest version of the yarn2nix repository as an additional source to yourn niv environment and use mkYarnPackage and yarn2nix from here.
ok thanks, I look forward to us upgrading to 20.03 :)
Fixes #102 .
This is unfortunate in that we'll pull more stuff into the store and rebuild more often. But the current version doesn't work in restricted eval mode on hydra, and even a trivial use of
builtins.filterSource
causes that.